diff --git src/wp-admin/includes/class-wp-privacy-policy-content.php src/wp-admin/includes/class-wp-privacy-policy-content.php
index 9b11d09a66..8cb7f4cf66 100644
--- src/wp-admin/includes/class-wp-privacy-policy-content.php
+++ src/wp-admin/includes/class-wp-privacy-policy-content.php
@@ -409,14 +409,14 @@ final class WP_Privacy_Policy_Content {
 			?>
 			<h4 class="privacy-settings-accordion-heading">
 			<button aria-expanded="false" class="privacy-settings-accordion-trigger" aria-controls="privacy-settings-accordion-block-<?php echo $sanitized_policy_name; ?>" type="button">
-				<span class="title"><?php echo $plugin_name; ?></span>
+				<span class="title"><?php echo esc_html( $plugin_name ); ?></span>
 				<?php if ( ! empty( $section['removed'] ) || ! empty( $section['updated'] ) ) : ?>
-				<span class="badge <?php echo $badge_class; ?>"> <?php echo $badge_title; ?></span>
+				<span class="badge <?php echo esc_attr( $badge_class ); ?>"> <?php echo esc_html( $badge_title ); ?></span>
 				<?php endif; ?>
 				<span class="icon"></span>
 			</button>
 			</h4>
-			<div id="privacy-settings-accordion-block-<?php echo $sanitized_policy_name; ?>" class="privacy-settings-accordion-panel privacy-text-box-body" hidden="hidden">
+			<div id="privacy-settings-accordion-block-<?php echo esc_attr( $sanitized_policy_name ); ?>" class="privacy-settings-accordion-panel privacy-text-box-body" hidden="hidden">
 				<?php
 				echo $removed;
 				echo $section['policy_text'];
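Review bot: The `aria-controls` attribute on the `<button>` line still echoes `$sanitized_policy_name` raw, while the matching `id` on the panel `<div>` is now wrapped in `esc_attr()`. Both must render the same string for the accordion relationship to hold, so escape the first one too: `aria-controls="privacy-settings-accordion-block-<?php echo esc_attr( $sanitized_policy_name ); ?>"`. The two trailing context lines, `echo $removed;` and `echo $section['policy_text'];`, also stay unescaped, and where those values are built is outside the hunk. If they are meant to carry markup, either pass them through `wp_kses_post()` at output or add a comment naming where they are filtered, so the trust boundary for plugin-supplied policy text is visible at the echo. The enclosing method starts and ends outside the hunk.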
diff --git src/wp-admin/includes/widgets.php src/wp-admin/includes/widgets.php
index a5d65a7513..406bb84b35 100644
--- src/wp-admin/includes/widgets.php
+++ src/wp-admin/includes/widgets.php
@@ -109,7 +109,7 @@ function wp_list_widget_controls( $sidebar, $sidebar_name = '' ) {
 	if ( ! empty( $description ) ) {
 		?>
 		<div class="sidebar-description">
-			<p class="description"><?php echo $description; ?></p>
+			<p class="description"><?php echo esc_html( $description ); ?></p>
 		</div>
 		<?php
 	}
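Review bot: `esc_html()` on `$description` turns any markup in a sidebar description into literal text. The assignment of `$description` is outside the hunk, so it is unclear whether the value is already filtered upstream or is expected to carry limited HTML such as links or emphasis. If it has already been through a kses filter, this double-encodes entities and changes what is rendered for existing themes. If markup is meant to be allowed, `echo wp_kses_post( $description );` or a narrower `wp_kses()` allow-list keeps the output safe without flattening it. If plain text is the intended contract, state it above the echo, e.g. `// Sidebar descriptions are plain text; markup is escaped, not rendered.`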
